Where is the Github asc file for their pgp signing key? #130439
Replies: 4 comments
-
GitHub does not generally provide an .asc file for their keys as they focus on verifying the authenticity of commits and tags. This is usually done by the source maintainer. The best way to verify the authenticity of a release is to verify the tag associated with the release, then verify the commit associated with the tag:
`git show --show-signature 6ce44a9`
Then compare the info with GitHub (by clicking on the commit hash in the first image).
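One way to act on the advice in the reply above, added here as an example and not code from this discussion or from GitHub's tooling: `git verify-tag --raw <tag>` and `git verify-commit --raw <commit>` relay gpg's machine-readable `[GNUPG:]` status lines on stderr, and the script below parses those lines and accepts a signature only if gpg reports it good and the signing key's fingerprint is one you pinned in advance. The point a practitioner wants beyond "Good signature" is that gpg says that for any key in your keyring; pinning the fingerprint is what ties the release to the key you obtained out of band. The status lines, fingerprints and user id in the sample are constructed for this example and are not GitHub's real key.

```python
"""Evaluate gpg status-fd output (as relayed by `git verify-tag --raw` or
`git verify-commit --raw`) against a pinned set of key fingerprints.

Added example, not part of the original discussion.  Sample data below is
constructed; the fingerprints are not GitHub's or any real signer's.
"""
import subprocess
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class SigResult:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None  # signing (sub)key fingerprint, from VALIDSIG
    primary: Optional[str] = None      # primary key fingerprint, from VALIDSIG
    signer: Optional[str] = None       # user id string, from GOODSIG


# gpg status keywords that mean the signature must not be trusted.
_FAIL = {
    "BADSIG": "signature does not verify (BADSIG)",
    "ERRSIG": "gpg could not check the signature (ERRSIG)",
    "NO_PUBKEY": "public key not in keyring (NO_PUBKEY)",
    "EXPKEYSIG": "signed with an expired key (EXPKEYSIG)",
    "REVKEYSIG": "signed with a revoked key (REVKEYSIG)",
    "EXPSIG": "signature itself has expired (EXPSIG)",
}


def _norm(fpr: str) -> str:
    return fpr.replace(" ", "").upper()


def evaluate_status(status_text: str, pinned_fingerprints: Iterable[str]) -> SigResult:
    """Return ok=True only for a GOODSIG/VALIDSIG pair from a pinned key."""
    pinned = {_norm(f) for f in pinned_fingerprints}
    res = SigResult(ok=False, reason="no signature status seen")
    good = False
    failures = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kw = fields[1]
        if kw in _FAIL:
            failures.append(_FAIL[kw])
        elif kw == "GOODSIG":
            good = True
            res.signer = " ".join(fields[3:])
        elif kw == "VALIDSIG":
            res.fingerprint = _norm(fields[2])
            # Field 11 is the primary key fingerprint when a subkey signed.
            res.primary = _norm(fields[11]) if len(fields) > 11 else res.fingerprint
    if failures:  # any failing keyword wins, even if a GOODSIG is also present
        res.reason = "; ".join(failures)
        return res
    if not good or res.fingerprint is None:
        res.reason = "no GOODSIG/VALIDSIG pair"
        return res
    if res.fingerprint in pinned or res.primary in pinned:
        res.ok, res.reason = True, "good signature from pinned key"
    else:
        res.reason = f"good signature, but key {res.fingerprint} is not pinned"
    return res


def verify_git_object(repo: str, ref: str, pinned_fingerprints: Iterable[str],
                      kind: str = "tag") -> SigResult:
    """Run git's verifier and evaluate its status lines (needs git + gpg with the
    signer's public key imported; this part is not exercised offline)."""
    sub = "verify-tag" if kind == "tag" else "verify-commit"
    proc = subprocess.run(["git", "-C", repo, sub, "--raw", ref],
                          capture_output=True, text=True)
    return evaluate_status(proc.stderr, pinned_fingerprints)


# Constructed sample status output (made-up fingerprint and user id).
SAMPLE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] KEY_CONSIDERED 0123456789ABCDEF0123456789ABCDEF01234567 0
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maint@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 22 10 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Maintainer <maint@example.invalid>
"""
SAMPLE_NOKEY = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 22 10 00 1704067200 9 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] NO_PUBKEY 89ABCDEF01234567
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD), ("nokey", SAMPLE_NOKEY)):
        print(name, evaluate_status(text, {SAMPLE_FPR}))
```

To use it on a real release, import the signer's public key first, then call `verify_git_object("/path/to/clone", "v1.2.3", {"<fingerprint you pinned>"})`. For a tag or commit made through GitHub's web UI, the signer is GitHub's own web-flow account, and GitHub serves any account's public GPG keys in ASCII-armored form at `https://github.com/<username>.gpg`, so `curl -s https://github.com/web-flow.gpg | gpg --import` fetches that key; check that the imported key's ID matches the one git reports before pinning its fingerprint.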
-
I'm trying to verify a download from a release. Github really does not have their key in asc format anywhere?
-
I don't think so. Sorry. Generally the project's maintainers are the ones who provide the GPG signature for their files. You can take a look at GitHub's docs for code security and commit signature verification.
Topic area: Question
Body:
The releases I'm downloading from Github are signed with key B5690EEEBB952194. That's Github's signing key. However, I cannot find the asc file for confirming the executable I have downloaded is actually from Github's servers, and not some man in the middle attacking my infrastructure.
Obviously, it would be preferable for the developer to sign their own releases with their own key. However, if I can find the Github asc file at least I can confirm whether the file is signed by Github's key or not.
Does anyone know where that file is so I can confirm the release contents are signed?